CISO Brief

All news in category “Incidents and Data Breaches”


CIRO Breach Exposed Data of 750,000 Canadian Investors

🔒 The Canadian Investment Regulatory Organization (CIRO) confirmed a data breach that affected roughly 750,000 Canadian investors. The threat was identified on August 11 and disclosed on August 18, with an extensive forensic analysis completed January 14. Compromised records vary by person and may include dates of birth, phone numbers, income details, social insurance numbers, government IDs, account numbers, and statements. CIRO said it does not store login credentials and will offer two years of free credit monitoring to impacted investors.

Authorities Identify Black Basta Members, Leader Listed

🚨 Ukrainian and German authorities have identified two Ukrainians allegedly working for the Russia-linked ransomware-as-a-service group Black Basta, while the group's suspected leader, 35-year-old Russian national Oleg Evgenievich Nefedov, has been added to the EU Most Wanted and INTERPOL Red Notice lists. Investigators say the suspects acted as "hash crackers," extracting credentials used to breach corporate networks and deploy ransomware. Searches in Ivano-Frankivsk and Lviv yielded digital storage devices and cryptocurrency assets. Black Basta emerged in April 2022 and is linked to attacks on more than 500 organizations and hundreds of millions in illicit cryptocurrency profits.

Credential-stealing Chrome extensions target HR platforms

🔒 Socket discovered malicious Chrome extensions on the Web Store that mimicked productivity and security tools for enterprise HR and ERP systems and had been installed over 2,300 times. The five extensions targeted Workday, NetSuite, and SAP SuccessFactors, employing cookie exfiltration, DOM manipulation to block admin pages, and cookie injection to enable session hijacking. Google removed the extensions after notification; affected users should report use to administrators, perform incident response, and change credentials on impacted platforms.

GhostPoster Extensions Removed After 840K Installations

⚠️ LayerX researchers identified 17 malicious browser extensions tied to the GhostPoster campaign that collectively recorded about 840,000 installs across Chrome, Firefox, and Edge. The extensions concealed heavily obfuscated JavaScript inside image files and icons to monitor browsing activity, implant a backdoor, hijack affiliate links, and inject invisible iframes for ad and click fraud. A more advanced variant in an Instagram Downloader extension used staged execution and bundled image payloads to evade detection; the stores have removed the listed extensions, but users who already installed them may still be compromised.

Payroll Pirates: Social Engineering Diverts Paychecks

📞 This Unit 42 engagement recounts how an attacker used social engineering to impersonate employees and manipulate payroll, IT, and HR help desks to reset passwords and re-enroll MFA, ultimately redirecting direct-deposit payments into attacker-controlled accounts. Unit 42 investigated using Cortex XSIAM and correlated payroll, HR, and firewall telemetry to contain the compromise to three accounts, reverse fraudulent payroll changes, and harden identity controls. The case underscores how human-driven workflows can be exploited to bypass technical defenses and cause targeted financial fraud.

Researchers Hijack StealC Panels via XSS, Expose Operators

🔒 A cross-site scripting (XSS) flaw in the web control panel for the StealC info‑stealer allowed researchers to observe active operator sessions, capture session cookies and harvest browser and hardware fingerprints. CyberArk exploited the issue to identify an operator’s location and device details after a panel user failed to route traffic through a VPN. The company withheld technical details so the operators could not patch the flaw quickly, and said the finding may disrupt StealC’s MaaS ecosystem.

Black Basta leader added to Europol and Interpol lists

🚨 German and Ukrainian authorities have identified Oleg Evgenievich Nefedov as the leader of the Black Basta ransomware group and added him to Europol's 'Most Wanted' and Interpol's 'Red Notice' lists. Raids in the Ivano-Frankivsk and Lviv regions targeted two alleged members who specialized in initial access, hash cracking and privilege escalation, and yielded seized digital storage and cryptocurrency assets. Black Basta, linked to the defunct Conti syndicate, has been tied to more than 600 incidents worldwide affecting major organizations.

China-linked Hackers Exploited Sitecore Zero-Day Access

🔒 Cisco Talos describes an actor tracked as UAT-8837, active since at least 2025, that targeted North American critical infrastructure to gain initial access. The group exploited both compromised credentials and a Sitecore ViewState deserialization zero-day (CVE-2025-53690), with Mandiant linking the flaw to deployment of the WeepSteel reconnaissance backdoor. Post-compromise activity focused on credential theft, Active Directory enumeration, and use of living-off-the-land utilities and open-source tools to evade detection.

Verizon Issues $20 Credits to Customers After Outage

📱 Verizon has begun sending text messages to primary account holders explaining how to redeem a $20 account credit after a nationwide wireless outage on January 14. The message apologizes and instructs customers to log in at Verizon.com, click the "Take action" indicator under Mobile, then select "Redeem Now." The credit is limited to one $20 credit per account and is intended to offset multiple days of disrupted service; customers still seeing connectivity problems are advised to restart their devices.

Chrome Extensions Impersonating Workday and NetSuite

⚠ Security researchers uncovered five malicious Chrome extensions that impersonate HR and ERP platforms, including Workday and NetSuite, to harvest authentication tokens and facilitate session takeovers. The add-ons exfiltrate cookies to attacker-controlled APIs, manipulate DOM content to block administrative pages, and can inject stolen cookies to hijack sessions. Most were removed from the Chrome Web Store but remain available on third-party download sites; affected users should remove the extensions, reset credentials, and audit for unauthorized access.

TamperedChef malvertising drops trojanised PDFs globally

🔒 Sophos researchers warn that the TamperedChef malvertising campaign is delivering trojanised PDF manuals and fake downloads to organisations worldwide. Attackers use malicious adverts and promoted search results to trick users searching for technical manuals into installing an infostealer that harvests browser-stored credentials and contacts a C2 server. A second-stage payload, ManualFinderApp.exe, is a trojanised application that acts as both an infostealer and a persistent backdoor. The campaign employs delayed activation, staged payload delivery and code-signing abuse to evade detection; organisations should avoid clicking advert links and obtain software only from official vendor sites.

Malicious DLL Sideloading Campaign Impersonating Vendors

🔍 This Flash Hunting Findings brief describes an active campaign (Jan 11–15, 2026) distributing ZIP archives that impersonate vendors such as Malwarebytes and use a consistent behash (4acaac53c8340a8c236c91e68244e6cb) for identification. Each archive bundles a legitimate EXE and a malicious CoreMessaging.dll which is executed via DLL sideloading and subsequently drops secondary-stage infostealers. Analysts can pivot using embedded TXT files (gitconfig.com.txt / Agreement_About.txt), unique metadata signature strings, exported function names, the supplied YARA rule, or the VirusTotal collection to map related infrastructure.
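The bundle pattern described above (a legitimate EXE shipped beside a malicious CoreMessaging.dll, with one of the named marker text files) can be turned into a quick ZIP triage check. The following is an added example, not code from the Flash Hunting brief; the folder and file names in the sample archives are constructed, and the rule that an archive is flagged only when an .exe sits in the same directory as CoreMessaging.dll is an assumption about how the sideloading bundles are laid out.

```python
import io
import zipfile

# Indicators taken from the brief; matching is case-insensitive because
# ZIP entries from Windows tooling vary in casing.
SIDELOAD_DLL = "coremessaging.dll"
MARKER_TXT = {"gitconfig.com.txt", "agreement_about.txt"}


def triage_archive(data: bytes) -> dict:
    """Inspect a ZIP (as bytes) for the sideloading bundle pattern.

    Returns which indicators were seen. 'suspicious' is set when an .exe and
    CoreMessaging.dll share a directory (assumed bundle layout); marker TXT
    files are reported separately so analysts can pivot on them.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = [n for n in zf.namelist() if not n.endswith("/")]

    # Group basenames by their containing directory inside the archive.
    by_dir: dict[str, set[str]] = {}
    for name in entries:
        directory, _, base = name.rpartition("/")
        by_dir.setdefault(directory, set()).add(base.lower())

    exe_beside_dll = any(
        SIDELOAD_DLL in files and any(f.endswith(".exe") for f in files)
        for files in by_dir.values()
    )
    markers = sorted(f for files in by_dir.values() for f in files if f in MARKER_TXT)

    return {
        "exe_beside_dll": exe_beside_dll,
        "markers": markers,
        "suspicious": exe_beside_dll,
    }


def build_sample(entry_names) -> bytes:
    """Build an in-memory ZIP with placeholder contents (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entry_names:
            zf.writestr(name, b"placeholder")
    return buf.getvalue()


# Constructed samples: a lookalike installer bundle and a benign archive.
BUNDLE = build_sample([
    "MBSetup/Setup.exe",
    "MBSetup/CoreMessaging.dll",
    "MBSetup/gitconfig.com.txt",
])
BENIGN = build_sample(["tool/tool.exe", "tool/README.txt"])

if __name__ == "__main__":
    print("bundle:", triage_archive(BUNDLE))
    print("benign:", triage_archive(BENIGN))
```

The check is deliberately filename-based so it can run on mail-gateway or sandbox-extracted archives before any execution; confirming the DLL is actually malicious still needs the YARA rule or hash comparison the brief supplies.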

LOTUSLITE Backdoor Targets U.S. Policy and Diplomacy

🛡️ A targeted campaign used political lures and a ZIP archive to deliver a DLL side-loading chain that installs the backdoor LOTUSLITE (kugou.dll), aimed at U.S. government and policy organizations. Acronis researchers attributed the activity with moderate confidence to the Chinese-linked Mustang Panda cluster and observed registry persistence, WinHTTP C2 communications, and remote CMD tasking. It remains unclear whether intended targets were successfully compromised.

China-Linked APT Exploits Sitecore Zero-Day in US

⚠️ Cisco Talos says a China-aligned advanced persistent threat tracked as UAT-8837 has been leveraging a critical Sitecore zero-day (CVE-2025-53690, CVSS 9.0) to gain initial access to North American critical infrastructure. The actor uses both exploit-based access and compromised credentials, then deploys open-source tools for credential harvesting, Active Directory reconnaissance, and persistent remote access. Observed artifacts include GoTokenTheft, EarthWorm, DWAgent, SharpHound, Impacket, Rubeus, and Certipy, raising supply chain and OT exposure concerns.

AWS CodeBuild regex flaw enables supply-chain compromise

🔒 Researchers at Wiz found a subtle misconfiguration in AWS CodeBuild build-trigger handling that could let unauthenticated actors infiltrate build environments and leak credentials. A two-character mistake, an actor-ID filter whose regex lacked the ^ and $ anchors, meant that any account ID merely containing the allowed ID as a substring passed the check, putting public repositories such as the AWS JavaScript SDK at risk. AWS patched the issue within 48 hours, hardening CodeBuild and auditing public build logs. Wiz recommends anchored regexes, fine-grained PATs, and stricter build gates to reduce exposure.
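The unanchored-regex mistake is easy to reproduce. The block below is an added illustration, not Wiz's or AWS's code: it assumes a filter that accepts an actor ID when a regex pattern matches it, and uses Python's re.search to mimic substring matching. The account IDs are constructed.

```python
import re

# Constructed: the single GitHub account ID the build trigger is meant to accept.
ALLOWED_ACTOR_ID = "123456"


def matches_unanchored(actor_id: str, allowed: str = ALLOWED_ACTOR_ID) -> bool:
    """Weak filter: an unanchored pattern is satisfied by any ID that
    merely contains the allowed ID somewhere inside it."""
    return re.search(re.escape(allowed), actor_id) is not None


def matches_anchored(actor_id: str, allowed: str = ALLOWED_ACTOR_ID) -> bool:
    """Hardened filter: the two missing characters, ^ and $, force the
    pattern to cover the whole ID, so only an exact match passes."""
    return re.search(f"^{re.escape(allowed)}$", actor_id) is not None


def evaluate(actor_ids):
    """Return {actor_id: (unanchored_result, anchored_result)} for comparison."""
    return {aid: (matches_unanchored(aid), matches_anchored(aid)) for aid in actor_ids}


if __name__ == "__main__":
    # 9123456 and 1234567 both contain 123456 and slip past the weak filter.
    for aid, (weak, strong) in evaluate(["123456", "9123456", "1234567", "654321"]).items():
        print(f"{aid:>8}: unanchored={weak!s:5} anchored={strong}")
```

The same failure applies to any allow-list implemented as a regex over identifiers (usernames, repo paths, OIDC subject claims): if the engine uses a find/search semantic rather than a full match, anchor the pattern or compare for equality instead.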

Eurail/Interrail Customer Database Breach Exposes PII

🔒 Utrecht-based Eurail BV has confirmed that an unauthorized party accessed its customer database, potentially exposing a range of personal information for Interrail pass holders and some DiscoverEU participants. Affected items may include identification data (first and last name, date of birth, gender), contact details (email, home address, telephone) and passport details (number, issuing country, expiry). The company says the investigation is ongoing and that there is currently no indication the data have been misused or publicly shared; it is advising customers to remain vigilant, change passwords for Rail Planner and related accounts, and consult the provider’s FAQ for guidance.

Grubhub Confirms Data Theft, Faces Extortion Demand

🔒 Grubhub confirmed unauthorized actors downloaded data from certain systems and said it investigated, halted the activity, and is taking steps to strengthen its security posture. The company stated that financial information and order histories were not affected but declined to answer further questions about timing, affected users, or extortion. Grubhub said it is working with a third-party cybersecurity firm and law enforcement, while sources tell BleepingComputer that threat actors are demanding payment.

Verizon Attributes Nationwide Wireless Outage to Software Fault

🛠️ Verizon confirmed that a nationwide wireless outage on January 14 was caused by a software issue and said there is no indication the disruption was a cybersecurity incident. The outage left many customers nationwide unable to make calls, with phones stuck in SOS mode and callers sometimes hearing that the "called party is temporarily unavailable." New York City officials warned some Verizon customers might not be able to reach 911. Verizon said engineers resolved the problem the same day, advised restarts, apologized, and will provide a $20 credit to affected accounts.

Eurail/Interrail Customer Database Breach Exposes PII

🔒 Eurail B.V. has acknowledged unauthorized access to its Interrail customer database, potentially exposing identity, contact and passport information for affected customers. The company says there are no indications of misuse or public sharing so far and that investigations are ongoing. Customers who booked under the EU DiscoverEU program may have had copies of identity documents, IBANs and health data accessed. Eurail recommends vigilance and changing passwords for associated accounts.

ICE doxxing site taken offline by sustained DDoS attack

⚠️ The controversial ICE List doxxing site, launched after an alleged DHS whistleblower provided details on thousands of ICE and Border Patrol officials, has been taken offline by a sustained DDoS attack. Founder Dominick Skinner reported that overwhelming traffic appears to originate from Russian IP addresses routed through proxies, complicating attribution. Skinner and his team are attempting server migrations to restore access but expect the site to remain a target.